Issue Date: February 26, 2010
Audit Report Number: 2010-PH-0001

TO: Vicki B. Bott, Deputy Assistant Secretary for Single Family Housing, HU

//signed//
FROM: John P. Buck, Regional Inspector General for Audit, Philadelphia Region, 3AGA

SUBJECT: HUD’s Philadelphia, PA, Homeownership Center Did Not Always Ensure That Required Background Investigations Were Completed for Its Contracted Employees

HIGHLIGHTS

What We Audited and Why

In accordance with our annual audit plan and due to concerns regarding the U.S. Department of Housing and Urban Development’s (HUD) capacity to handle the increasing demand for loans insured by the Federal Housing Administration (FHA), we initiated an audit of HUD’s Philadelphia, PA, Homeownership Center (Center). This is the first of two audit reports that we plan to issue on the Center’s capacity to process current demand for FHA loans. The audit objective addressed in this report was to determine whether the Center processed FHA loan applications in accordance with applicable policies and procedures and ensured that required background investigations were completed for its contracted employees that performed functions associated with FHA loans.

What We Found

The Center generally processed FHA loans in accordance with applicable policies and procedures.
However, it did not always ensure that required background investigations were completed for its contracted employees that were responsible for processing FHA loan applications and monitoring the quality of lenders’ underwriting. The Center had 29 contracted employees that were responsible for performing functions associated with FHA loans. Of the 29 contracted employees, 16, or 55 percent, had not been through minimum background investigations required by contract clauses and HUD’s policies on personnel security/suitability. HUD spent more than $5.4 million on services from contracted employees that may not have been eligible to access its computer systems and other information sources containing sensitive personally identifiable information.

What We Recommend

We recommend that the Deputy Assistant Secretary for Single Family Housing direct the Center to (1) initiate and follow up on the required minimum background investigations for its contracted employees that have not been investigated to justify more than $5.4 million spent on the related contracts and (2) develop and implement controls to ensure that its contracted employees comply with contract terms and applicable HUD security policies.

For each recommendation without a management decision, please respond and provide status reports in accordance with HUD Handbook 2000.06, REV-3. Please furnish us copies of any correspondence or directives issued because of the audit.

Auditee’s Response

We discussed the report with HUD during the audit and at an exit conference on February 2, 2010. HUD provided written comments to our draft report on February 23, 2010.
HUD agreed with the finding and recommendations. The complete text of HUD’s response is in appendix B of this report.

TABLE OF CONTENTS

Background and Objective

Results of Audit
    Finding: HUD’s Philadelphia Homeownership Center Did Not Always Ensure That Required Background Investigations Were Completed for Its Contracted Employees

Scope and Methodology

Internal Controls

Appendixes
    A. Schedule of Questioned Costs and Funds To Be Put to Better Use
    B. Auditee Comments
    C. Schedule of Contractors’ Training Status
    D. Schedule of Contracts and Related Expenditures

BACKGROUND AND OBJECTIVE

The U.S. Department of Housing and Urban Development’s (HUD) strategic plan states that part of its mission is to increase homeownership, support community development, and increase access to affordable housing free from discrimination.
HUD’s overall strategy to advance this goal is to carefully apply public-sector dollars, whether through mortgage insurance, grants, loans, or direct subsidies, to leverage the private market and make it easier for low- and moderate-income Americans to buy and keep their own homes.

The National Housing Act, as amended, established the Federal Housing Administration (FHA), an organizational unit within HUD. FHA provides insurance for lenders against loss on single-family home mortgages. FHA insurance helps first-time home buyers and other families who could have difficulties in obtaining a mortgage by reducing the risk to private lenders.

HUD’s Office of Single Family Housing handles the overall management, policy direction and administration of all single family insurance programs. Policy development and oversight are performed in three offices: Program Development, Asset Management, and Lender Activities and Program Compliance, located in Washington, DC. Program policy is implemented by HUD’s four Homeownership Centers in Philadelphia, PA; Santa Ana, CA; Atlanta, GA; and Denver, CO. The Homeownership Centers insure single-family FHA mortgages and oversee the selling of HUD homes. They implement underwriting and insuring standards; monitor loan origination and servicing; administer nonprofit/housing counseling grant programs; and provide training, guidance, and technical assistance to HUD staff and customers.

The Philadelphia Homeownership Center (Center) employs 218 staff members, 79 of whom are located in its Processing and Underwriting Division. Part of the division’s responsibilities includes overseeing contracted employees that perform data entry, endorsement, and post endorsement technical review functions associated with FHA loans.
The data entry function primarily involves entries into HUD’s Computerized Homes Underwriting Management System to reflect the receipt and assignment of loan case files submitted to HUD for insurance endorsement. The endorsement process entails a review to determine whether loan files submitted for insurance endorsement include all documents required by HUD. The post endorsement technical review is performed to monitor the quality of lenders’ underwriting and to identify the degree of risk associated with each loan insured.

HUD contracted with Horizon Consulting, Inc. (Horizon), headquartered in Lansdowne, VA, to perform data entry, endorsements, and post endorsement technical reviews. The Horizon employees process all of the Center’s data entry and endorsements and some of its post endorsement technical reviews. The Center had two government technical representatives that were responsible for the technical administration of the contracts.

Our audit objective was to determine whether the Center processed FHA loan applications in accordance with applicable policies and procedures and ensured that required background investigations were completed for its contracted employees that performed functions associated with FHA loans.

RESULTS OF AUDIT

Finding: HUD’s Philadelphia Homeownership Center Did Not Always Ensure That Required Background Investigations Were Completed for Its Contracted Employees

The Center did not ensure that background investigations were completed as required for more than half its contracted employees that were responsible for processing FHA loan applications and reviewing approved FHA loan files to monitor the quality of lenders’ underwriting.
Also, more than one-third of the contracted employees had not taken security awareness training required by HUD’s information technology (IT) security policy. The deficiencies occurred because the Center lacked controls to ensure that its contracted employees complied with HUD’s security policies related to employee background investigations and IT security awareness. As a result, HUD spent more than $5.4 million on services from contracted employees that may not have been eligible to access its computer systems and other information sources containing sensitive personally identifiable information.

Minimum Background Investigations Were Not Always Completed

HUD entered into separate contracts with Horizon, headquartered in Lansdowne, VA, to perform data entry, endorsement, and postendorsement technical review functions associated with FHA loans. There were 29 Horizon employees that performed these functions for the Center. The breakdown of the employees under the contracts was as follows: 3 for data entry, 18 for endorsements, and 8 for postendorsement technical reviews.

Our review of records on the 29 employees indicated that 16, or 55 percent, had not been through the minimum background investigation required via clauses incorporated into the contracts. These employees included all of the employees that performed the data entry and postendorsement technical reviews and 5 of the 18 that performed the endorsements.
The employees had access to HUD systems and other sources of information with personally identifiable information[1] on FHA loan applicants including names, addresses, Social Security numbers, dates of birth, bank account numbers, credit reports, Internal Revenue Service W-2 statements, and tax returns. According to Office of Management and Budget Memorandum M-07-16, safeguarding personally identifiable information in the possession of the government and preventing its breach are essential to ensure that the government retains the trust of the American public.

[1] The term “personally identifiable information” refers to information which can be used to distinguish or trace an individual’s identity, such as name, Social Security number, biometric records, etc., alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc. (Office of Management and Budget Memorandum M-07-16)

All three contracts with Horizon contained a clause stating that contracted employees would be required to have access to HUD systems and that they would be required to provide personal information and undergo background investigations before being permitted access to HUD systems in performance of the contracts.
The clause stated that more extensive background investigations would be required for contracted employees requiring access to mission-critical[2] systems or sensitive information contained within HUD systems or applications. Also, according to HUD’s handbook on personnel security/suitability,[3] a minimum background investigation is required for all contractors working on behalf of HUD. The minimum investigation includes searches of the Office of Personnel Management’s Security/Suitability Investigations Index, the Federal Bureau of Investigation’s arrest and investigation records, and written inquiries covering specific areas of a person’s background during the most recent 5 years.

As stated above, the contracted employees had access to sensitive personally identifiable information. The Center’s failure to ensure the suitability of the employees to access such information could lead to potential abuses of HUD computer systems and access to sensitive information, which could seriously compromise data.

Contracted Employees Did Not Complete Required IT Security Awareness Training

Based on the requirements of the Federal Information Systems Management Act (FISMA) as incorporated into HUD’s IT security policy, the Center’s contracted employees should have taken IT security awareness training annually.
FISMA requires each Federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. HUD’s IT security policy states that basic security awareness training is required at orientation and annually by the determined date established by the Office of Management and Budget to meet the FISMA legislation requirement. We requested training certificates for the 29 Horizon employees to test the Center’s compliance with the requirement.

[2] HUD defines mission critical systems or functions as “those functions that enable Federal Executive Branch agencies to provide vital services, exercise civil authority, maintain the safety and well-being of the general public, and sustain the industrial/economic base during an emergency.”

[3] HUD Handbook 732.3, REV-1, paragraphs 3-1B and 4-5B

Of the 18 Horizon employees performing the endorsements, only one had taken the required training before our request for the training certificates. Sixteen of the endorsement employees and all three of the data entry employees took the training after we requested the training certificates. The employees took the training between October 9 and October 14, 2009. The remaining endorsement employee had not taken the training as of the completion of our fieldwork. Also, none of the eight contracted employees working on the postendorsement technical reviews was up to date on the training requirement.
One employee last took the training in June 2006, and three employees last took the training in August 2007. For the remaining four employees, there was no documentation to indicate that they had ever taken the training. As of the completion of our fieldwork, nine, or one-third, of the contracted employees had not completed the required annual security awareness training (see appendix C).

A key objective of an effective IT security program is to ensure that all employees and contractors understand their roles and responsibilities and are adequately trained to perform them. HUD cannot protect the confidentiality, integrity, and availability of its information systems and the information they contain without the knowledge and active participation of its employees and contractors in the implementation of sound security principles. To ensure that its contracted employees understand their roles and responsibilities in protecting IT and related data, the Center must ensure that its contracted employees take the required annual security awareness training in accordance with HUD’s IT security policy.

The Center Lacked Controls To Ensure That It Complied With Security Policies

The Center lacked controls to ensure that its contracted personnel complied with HUD’s security policies related to background investigations and IT security awareness.
Although the contracts with Horizon included clauses that indicated background investigations were required, government technical representatives (representatives) responsible for administering the contracts were not aware of contract requirements pertaining to background investigations or that all contracted employees had not been through the required investigations. The representatives’ duties included ensuring that the contractor established and complied with HUD’s personnel security requirements. In certain cases, background investigations had been initiated; however, the initial background information forms submitted were returned to the employees because they were incomplete. The employees did not resubmit the forms, and the representatives did not follow up and take action to ensure that the investigations were completed. They also did not ensure that the contracted employees had completed annual security awareness training as required.

As stated above, the representatives were responsible for ensuring the contractor’s compliance with HUD’s personnel security requirements and should have ensured that the contracted employees had been through the necessary background investigations and completed the required security awareness training.
The Center needs to develop and implement controls to ensure that the representatives responsible for administering the contracts are aware of all contract terms and requirements and ensure that the requirements are enforced.

Conclusion

The Center did not ensure that required background investigations were completed for all of its contracted employees that were responsible for processing FHA loan applications and monitoring the quality of lenders’ underwriting. It also did not ensure that all of the employees had taken IT security awareness training in accordance with HUD’s IT security policy. These deficiencies occurred because the Center lacked controls to ensure that its contracted employees complied with HUD’s security policies related to employee background investigations and IT security awareness. Horizon breached its contract with HUD when it did not ensure that all its employees complied with HUD’s personnel security requirements. Therefore HUD needs to justify more than $5.4 million (see appendix D) in funds already spent on the related contracts by providing documentation to show that it has performed the required background investigations to determine the suitability of the contracted employees for their duties and responsibilities.
HUD also needs to ensure that the Center implements sufficient controls to prevent approximately $2.2 million from being spent annually on contracted employees that may not be eligible to access its computer systems and other information sources containing sensitive personally identifiable information.

Recommendations

We recommend that the Deputy Assistant Secretary for Single Family Housing direct the Philadelphia Homeownership Center to

1A. Initiate the minimum required background investigations for its contracted employees and conduct monthly follow-ups to monitor the status of the investigations to ensure that HUD security requirements are met and to justify $5,438,372 awarded for the related contracts. In cases where the contractor(s) fail to submit the necessary required paperwork, terminate all HUD systems access for the employees within 30 days of the request for the paperwork.

1B. Develop and implement procedures for tracking the status of background investigations for its contracted employees and ensure that they are completed to prevent $2,175,348 from being spent annually on employees that may not be suitable for their duties.

1C. Ensure that all contracted employees in the Center annually take mandatory IT security awareness training as described in HUD’s IT security policy.

1D. Emphasize HUD’s security policies to the Center’s government technical representatives to ensure that they are aware of their responsibility to ensure that contracted employees undergo background investigations and complete IT security awareness training as required.

SCOPE AND METHODOLOGY

We performed our audit at HUD’s Philadelphia, PA, Center offices from April through November 2009. The audit covered the period October 2006 through March 2009; however, we expanded the scope when necessary to include other periods.

We used computer-processed data only in conjunction with other supporting documents and information to reach our conclusions and determined that the data were sufficiently reliable for our purposes.

To accomplish our objective to determine whether the Center processed FHA loan applications in accordance with applicable policies and procedures and ensured that required background investigations were completed for its contracted employees that performed functions associated with FHA loans, we

    Analyzed a random sample of five loan case files to determine whether the Center performed endorsements in accordance with HUD policies and procedures.

    Analyzed a random sample of five loan files to determine whether the Center performed postendorsement technical reviews in accordance with HUD policies and procedures.

    Conducted interviews with various division directors and staff in the Center, as well as contracted employees.

    Interviewed key functional managers and/or staff of the Office of Single Family Housing and the Office of Security and Emergency Planning at HUD headquarters.

    Reviewed and analyzed the background check summaries for the Horizon contract employees that performed data entry, endorsements, and postendorsement technical reviews for the Center.

    Reviewed HUD policies on personnel suitability and IT security; mortgagee letters; and other applicable HUD policies, procedures, and regulations.

We calculated the funds to be put to better use by dividing the total unsupported costs ($5,438,372) by the number of months (30) in our review period and multiplying the result (181,279) by 12 months to obtain the potential annual savings ($2,175,348).

We conducted the audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.

INTERNAL CONTROLS

Internal control is an integral component of an organization’s management that provides reasonable assurance that the following controls are achieved:

    Program operations,
    Relevance and reliability of information,
    Compliance with applicable laws and regulations, and
    Safeguarding of assets and resources.

Internal controls relate to management’s plans, methods, and procedures used to meet its mission, goals, and objectives.
They include the processes and procedures for planning, organizing, directing, and controlling program operations as well as the systems for measuring, reporting, and monitoring program performance.

Relevant Internal Controls

We determined that the following internal controls were relevant to our audit objective:

    Program operations – Policies and procedures that management has implemented to reasonably ensure that a program meets its objectives.

    Compliance with laws and regulations – Policies and procedures that management has implemented to reasonably ensure that resource use is consistent with laws and regulations.

We assessed the relevant controls identified above.

A significant weakness exists if management controls do not provide reasonable assurance that the process for planning, organizing, directing, and controlling program operations will meet the organization’s objectives.

Significant Weaknesses

Based on our review, we believe that the following item is a significant weakness:

    The Center lacked controls to ensure that its contracted personnel complied with HUD’s security policies related to employee background investigations and IT security awareness.

APPENDIXES

Appendix A

SCHEDULE OF QUESTIONED COSTS AND FUNDS TO BE PUT TO BETTER USE

Recommendation number    Unsupported 1/    Funds to be put to better use 2/
1A                       $5,438,372
1B                                         $2,175,348

1/ Unsupported costs are those costs charged to a HUD-financed or HUD-insured program or activity when we cannot determine eligibility at the time of the audit. Unsupported costs require a decision by HUD program officials. This decision, in addition to obtaining supporting documentation, might involve a legal interpretation or clarification of departmental policies and procedures.

2/ Recommendations that funds be put to better use are estimates of amounts that could be used more efficiently if an Office of Inspector General (OIG) recommendation is implemented. These amounts include reductions in outlays, deobligation of funds, withdrawal of interest, costs not incurred by implementing recommended improvements, avoidance of unnecessary expenditures noted in preaward reviews, and any other savings that are specifically identified. In this instance, if HUD implements our recommendation, it will cease to incur contract costs for contractors that have not been determined to be suitable for their duties and, instead, will expend those funds for contracts that meet HUD’s standards, thereby putting approximately $2.2 million in funds to better use. Once HUD successfully implements our recommendation, this will be a recurring benefit. Our estimate reflects only the initial year of this benefit.

Appendix B

AUDITEE COMMENTS

Appendix C

SCHEDULE OF CONTRACTORS’ TRAINING STATUS

Contract                             Number of    Completed IT training    Completed IT training    Remaining employees
                                     employees    before OIG request       after OIG request        lacking training
                                                  for certificates         for certificates
Data entry                           3            0                        3                        0
Endorsements                         18           1                        16                       1
Postendorsement technical reviews    8            0                        0                        8
Summary                              29           1                        19                       9

Appendix D

SCHEDULE OF CONTRACTS AND RELATED EXPENDITURES

Contract number    Contract description                 Amount expended*
C-PHI-00974        Data entry                           $  480,698
C-PHI-00943
C-CHI-00949        Endorsements                          3,736,848
C-PHI-00973
C-CHI-01018        Postendorsement technical reviews     1,220,826
                                                        $5,438,372

* These amounts include the base contracts and related modifications with terms ranging between September 2006 and September 2009.